IPsec and IKE configuration examples

Presentation

Three examples of configuring the IP security features of Turbo IPsec instances are provided here:

  • Configuration of a static VPN.
  • Configuration of an IKE VPN with pre-shared key authentication.
  • Configuration of an IKE VPN with certificate authentication.

The three examples all use the same scenario, which is described only once, at the beginning of this chapter.

Scenario

Two Turbo IPsec gateways must secure traffic between two sites via the Internet in IPv4 and IPv6.

We will configure Gateway 1, as specified in the figure below:

[Figure: Security configuration example (ipsec-ike-configuration-examples.svg)]

Requirements are as follows:

  • IPv4 traffic between zones A1 and B1 must be protected by AH
  • All IPv4 and IPv6 traffic between the two Turbo IPsec gateways must be protected by ESP in transport mode
  • No traffic (IPv4 and IPv6) is allowed between A1 and B2
  • IPv4 and IPv6 traffic between A1 and the rest of the Internet is not allowed
  • No traffic (IPv4 and IPv6) is allowed between A3 and outside site A

The VPN connecting gateway 1 to gateway 2 comprises the following rules:

  1. A1 to B1 with AH mandatory for IPv4
  2. P1 to P2 with ESP mandatory for IPv4
  3. P1 to P2 with ESP mandatory for IPv6
  4. A1 to B2 with no traffic allowed for IPv4
  5. A1 to the Internet with no traffic allowed for IPv4
  6. A1 to B2 with no traffic allowed for IPv6
  7. A1 to the Internet with no traffic allowed for IPv6

In the examples below, we assume that we are creating the myconfig configuration.

Static VPN

Steps 1 to 3: Identification of the requirements, choice of a template, security enabling

In this case, the template to use is the static one.

Enable IPsec using the following command:

router{conf:myconfig-sec}ipsec enable

Step 4: Pre-shared keys and certificates

This step is not needed in the case of static VPNs.

Step 5: VPN definition

The following commands define a first VPN called static-vpn4 for IPv4 traffic and a second one called static-vpn6 for IPv6 traffic.

router{conf:myconfig-sec}vpn static-vpn4 static 20.0.0.1 30.0.0.1
router{conf:myconfig-sec}vpn static-vpn6 static 3abc::1 3def::1

The template used is the static one.

The IPv4 and IPv6 addresses of the VPN end-points are defined (P1 is the local gateway and P2 is the remote one).

The CANAME parameter is not needed as we are configuring a static VPN.

Steps 6 and 7: IPsec rules definition

In this example, there are 7 IPsec rules to define.

The first step consists in sorting the ipsec-rules so that overlapping definitions are correctly ordered (as the numbers below show, a higher priority number means a lower priority). For instance, ipsec-rule 5, whose destination 0.0.0.0/0 also covers B1 and B2, must have a lower priority than ipsec-rules 1 and 4, otherwise it would silently swallow the traffic those rules are meant to handle; the same applies to rule 7 with respect to rule 6 for IPv6.

Make sure that ipsec-rules for IPv4 traffic use the VPN configured to handle IPv4 traffic (static-vpn4) and that ipsec-rules for IPv6 traffic use the IPv6 one (static-vpn6): with two near-identical VPN names this is an easy mistake to make, and IPv6 traffic cannot be protected by SAs set up between IPv4 end-points.

ipsec-rule 1: A1 to B1 with AH mandatory for IPv4

router{conf:myconfig-sec}ipsec-rule rule1 20.10.10.0/24 30.10.10.0/24 any ah tunnel static-vpn4

ipsec-rule 2: P1 to P2 with ESP mandatory for IPv4

router{conf:myconfig-sec}ipsec-rule rule2 20.0.0.1 30.0.0.1 any esp transport static-vpn4 2000

ipsec-rule 3: P1 to P2 with ESP mandatory for IPv6

router{conf:myconfig-sec}ipsec-rule rule3 3abc::1 3def::1 any esp transport static-vpn6 2000

ipsec-rule 4: A1 to B2 with no traffic allowed for IPv4

router{conf:myconfig-sec}ipsec-rule rule4 20.10.10.0/24 30.10.20.0/24 any discard 2000

ipsec-rule 5: A1 to the Internet with no traffic allowed for IPv4

router{conf:myconfig-sec}ipsec-rule rule5 20.10.10.0/24 0.0.0.0/0 any discard 2100

ipsec-rule 6: A1 to B2 with no traffic allowed for IPv6

router{conf:myconfig-sec}ipsec-rule rule6 3abc:1:a1::/64 3def:1:b2::/64 any discard 2000

ipsec-rule 7: A1 to the Internet with no traffic allowed for IPv6

router{conf:myconfig-sec}ipsec-rule rule7 3abc:1:a1::/64 ::/0 any discard 3000
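
The ordering and address-family constraints above fail silently when they are violated, so here is a small Python model of the rule lookup, written as an added example for this page and not Turbo IPsec code. It encodes the seven rules with the priorities shown, resolves which rule a flow hits, reports rules that are shadowed by a more general rule with a better priority number, and reports a rule whose selectors and VPN are of different address families. The lookup semantics (lowest number wins) are an assumption taken from the ordering remark above, as is the priority of 1000 given to rule1, which the page leaves unset; the flows fed to it are constructed.

```python
"""Model of the ipsec-rule lookup used above.  Added example, not Turbo
IPsec code.  Assumed semantics, taken from the ordering remark on this
page: every rule is a selector (src, dst, proto) plus a priority number,
and among the rules matching a flow the LOWEST number wins.  rule1 has
no explicit priority on the page; here it is assumed to rank ahead of
the catch-all rule5."""
import ipaddress
from dataclasses import dataclass, replace
from typing import Optional


@dataclass(frozen=True)
class Rule:
    name: str
    src: str               # selector, CIDR notation
    dst: str
    proto: str             # "any" or an upper-layer protocol name
    action: str            # "ah", "esp" or "discard"
    mode: Optional[str]    # "tunnel" / "transport", None for discard
    vpn: Optional[str]     # VPN the rule is bound to, None for discard
    priority: int          # lower number = evaluated first (assumption)

    def selector(self):
        return (ipaddress.ip_network(self.src, strict=False),
                ipaddress.ip_network(self.dst, strict=False))

    def matches(self, src_ip, dst_ip, proto="any"):
        s, d = self.selector()
        if s.version != src_ip.version or d.version != dst_ip.version:
            return False
        return src_ip in s and dst_ip in d and self.proto in ("any", proto)


# The seven rules of the static VPN example (rule1 priority assumed).
RULES = [
    Rule("rule1", "20.10.10.0/24", "30.10.10.0/24", "any", "ah", "tunnel", "static-vpn4", 1000),
    Rule("rule2", "20.0.0.1/32", "30.0.0.1/32", "any", "esp", "transport", "static-vpn4", 2000),
    Rule("rule3", "3abc::1/128", "3def::1/128", "any", "esp", "transport", "static-vpn6", 2000),
    Rule("rule4", "20.10.10.0/24", "30.10.20.0/24", "any", "discard", None, None, 2000),
    Rule("rule5", "20.10.10.0/24", "0.0.0.0/0", "any", "discard", None, None, 2100),
    Rule("rule6", "3abc:1:a1::/64", "3def:1:b2::/64", "any", "discard", None, None, 2000),
    Rule("rule7", "3abc:1:a1::/64", "::/0", "any", "discard", None, None, 3000),
]

# Address family of each VPN, taken from its end-point addresses.
VPN_FAMILY = {"static-vpn4": 4, "static-vpn6": 6}


def lookup(rules, src, dst, proto="any"):
    """Winning rule for a flow, or None when no rule covers it."""
    src_ip, dst_ip = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    hits = [r for r in rules if r.matches(src_ip, dst_ip, proto)]
    return min(hits, key=lambda r: r.priority) if hits else None


def shadowed(rules):
    """Rules that can never win: a rule with a better (lower) number
    covers their whole selector, so every flow they describe hits it."""
    names = []
    for r in rules:
        rs, rd = r.selector()
        for o in rules:
            if o is r or o.priority >= r.priority:
                continue
            os_, od = o.selector()
            if (rs.version == os_.version and rd.version == od.version
                    and rs.subnet_of(os_) and rd.subnet_of(od)
                    and o.proto in ("any", r.proto)):
                names.append(r.name)
                break
    return names


def family_mismatch(rules, vpn_family=VPN_FAMILY):
    """Rules whose selectors are one address family while the VPN they
    name has end-points of the other (an IPv6 rule bound to the IPv4 VPN
    cannot be served by SAs between IPv4 gateways)."""
    return [r.name for r in rules
            if r.vpn is not None
            and vpn_family.get(r.vpn) != r.selector()[0].version]


def with_priority(rules, name, priority):
    """Copy of the rule set with one rule's priority changed."""
    return [replace(r, priority=priority) if r.name == name else r for r in rules]


def with_vpn(rules, name, vpn):
    """Copy of the rule set with one rule bound to another VPN."""
    return [replace(r, vpn=vpn) if r.name == name else r for r in rules]


if __name__ == "__main__":
    print(lookup(RULES, "20.10.10.5", "30.10.20.7").name)            # rule4, not rule5
    print(shadowed(with_priority(RULES, "rule5", 500)))               # ['rule1', 'rule4']
    print(family_mismatch(with_vpn(RULES, "rule3", "static-vpn4")))   # ['rule3']
```

With the priorities as printed, A1 to B2 traffic hits rule4 and nothing is shadowed; giving rule5 a better number than rules 1 and 4 makes both of them unreachable, and A1 to B1 traffic is then discarded instead of being sent through AH. Run the same two checks on every rule set before applying it.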
Step 8: Manual addition of SAs

When static VPNs are used, the user must manually specify the corresponding security associations: one per protocol, mode and direction, on both gateways, with the same SPI and key on each side. Note that hmac-md5 and 3des-cbc are legacy algorithms (RFC 8221 rates HMAC-MD5-96 as MUST NOT and 3DES-CBC as SHOULD NOT); prefer aes-cbc and hmac-sha1, as the IPv4 ESP and IPv6 AH entries below do, and generate keys from a cryptographically secure random source rather than from a passphrase.

To add the SAs (AH and ESP, in both directions, between the two gateways):
router{conf:myconfig-sec}sa ah 20.0.0.1 30.0.0.1 11001 tunnel hmac-md5 0x80f362ed9a0c690a531c62b37ea491c2
router{conf:myconfig-sec}sa ah 30.0.0.1 20.0.0.1 10001 tunnel hmac-md5 0x51ca91ea1712cbdacba592b05dbda124
router{conf:myconfig-sec}sa esp 20.0.0.1 30.0.0.1 11002 transport aes-cbc 0x843ebfdabdd8344dbd8e46b4255b1d32
router{conf:myconfig-sec}sa esp 30.0.0.1 20.0.0.1 10002 transport aes-cbc 0x4c99f318181a310b35c58763fb77ba99
router{conf:myconfig-sec}sa ah 3abc::1 3def::1 11003 tunnel hmac-sha1 0xa3037bd02ebfc006ac76f5c96fcf5be4909ad738
router{conf:myconfig-sec}sa ah 3def::1 3abc::1 10003 tunnel hmac-sha1 0x5d94862bf5bd671f5140e3709c7d20118a037ff6
router{conf:myconfig-sec}sa esp 3abc::1 3def::1 11004 tunnel 3des-cbc "th@tKey%iSmiNe,I'lLuseit"
router{conf:myconfig-sec}sa esp 3def::1 3abc::1 10004 tunnel 3des-cbc "eykeykeykeykeykeykeykeyk"
router{conf:myconfig-sec}sa esp 3abc::1 3def::1 11005 transport 3des-cbc "keykeykeykeykeykeykeykey"
router{conf:myconfig-sec}sa esp 3def::1 3abc::1 10005 transport 3des-cbc "eykeykeykeykeykeykeykeyk"
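
Before applying SA lines such as the ones above, it pays to check them mechanically. The Python script below is an added example, not Turbo IPsec code: it parses the sa syntax as printed on this page (an assumption; only the fields shown are understood), checks that each key has the size its algorithm needs, flags hmac-md5 and 3des-cbc per RFC 8221 and keys given as text passphrases, and verifies that each SA has its reverse-direction counterpart and that no SPI is reused towards the same destination and protocol. The ten lines above are embedded as its input.

```python
"""Sanity checks on static 'sa' lines before they are applied.  Added
example, not Turbo IPsec code.  It parses the syntax shown on this page
(sa <ah|esp> <src> <dst> <spi> <tunnel|transport> <algorithm> <key>),
checks key sizes, flags legacy algorithms and text passphrases, and
verifies that every SA has its counterpart in the reverse direction."""
import secrets
import shlex
from dataclasses import dataclass

# Key sizes in bytes for the algorithm names used on the page.
KEY_SIZES = {"hmac-md5": {16}, "hmac-sha1": {20},
             "aes-cbc": {16, 24, 32}, "3des-cbc": {24}}
# RFC 8221 status of the legacy algorithms.
LEGACY = {"hmac-md5": "MUST NOT (RFC 8221)", "3des-cbc": "SHOULD NOT (RFC 8221)"}


@dataclass(frozen=True)
class SA:
    proto: str
    src: str
    dst: str
    spi: int
    mode: str
    alg: str
    key: bytes
    key_is_hex: bool


def parse_sa(line):
    tok = shlex.split(line)          # shlex keeps the quoted 3DES passphrases whole
    if len(tok) != 8 or tok[0] != "sa":
        raise ValueError(f"not an sa line: {line!r}")
    _, proto, src, dst, spi, mode, alg, key = tok
    is_hex = key.lower().startswith("0x")
    raw = bytes.fromhex(key[2:]) if is_hex else key.encode()
    return SA(proto, src, dst, int(spi), mode, alg, raw, is_hex)


def lint(lines):
    """Return a list of findings (empty means nothing to report)."""
    sas = [parse_sa(l) for l in lines if l.strip().startswith("sa ")]
    present = {(s.proto, s.src, s.dst, s.mode) for s in sas}
    findings = []
    for s in sas:
        tag = f"{s.proto} spi {s.spi} {s.src}->{s.dst}"
        sizes = KEY_SIZES.get(s.alg)
        if sizes is None:
            findings.append(f"{tag}: unknown algorithm {s.alg}")
        elif len(s.key) not in sizes:
            findings.append(f"{tag}: {s.alg} key is {len(s.key)} bytes, expected {sorted(sizes)}")
        if s.alg in LEGACY:
            findings.append(f"{tag}: {s.alg} is {LEGACY[s.alg]}")
        if not s.key_is_hex:
            findings.append(f"{tag}: key is a text passphrase, use random hex")
        if (s.proto, s.dst, s.src, s.mode) not in present:
            findings.append(f"{tag}: no SA in the reverse direction")
    # An SPI identifies an SA together with its destination and protocol.
    by_spi = {}
    for s in sas:
        by_spi.setdefault((s.proto, s.dst, s.spi), []).append(s)
    for (proto, dst, spi), group in by_spi.items():
        if len(group) > 1:
            findings.append(f"{proto} spi {spi} towards {dst} defined {len(group)} times")
    return findings


def random_key_hex(nbytes):
    """How a static key should be produced: CSPRNG output in the 0x form the CLI takes."""
    return "0x" + secrets.token_hex(nbytes)


# The ten SA lines of the static example on this page, prompt removed.
PAGE_SAS = [
    "sa ah 20.0.0.1 30.0.0.1 11001 tunnel hmac-md5 0x80f362ed9a0c690a531c62b37ea491c2",
    "sa ah 30.0.0.1 20.0.0.1 10001 tunnel hmac-md5 0x51ca91ea1712cbdacba592b05dbda124",
    "sa esp 20.0.0.1 30.0.0.1 11002 transport aes-cbc 0x843ebfdabdd8344dbd8e46b4255b1d32",
    "sa esp 30.0.0.1 20.0.0.1 10002 transport aes-cbc 0x4c99f318181a310b35c58763fb77ba99",
    "sa ah 3abc::1 3def::1 11003 tunnel hmac-sha1 0xa3037bd02ebfc006ac76f5c96fcf5be4909ad738",
    "sa ah 3def::1 3abc::1 10003 tunnel hmac-sha1 0x5d94862bf5bd671f5140e3709c7d20118a037ff6",
    "sa esp 3abc::1 3def::1 11004 tunnel 3des-cbc \"th@tKey%iSmiNe,I'lLuseit\"",
    "sa esp 3def::1 3abc::1 10004 tunnel 3des-cbc \"eykeykeykeykeykeykeykeyk\"",
    "sa esp 3abc::1 3def::1 11005 transport 3des-cbc \"keykeykeykeykeykeykeykey\"",
    "sa esp 3def::1 3abc::1 10005 transport 3des-cbc \"eykeykeykeykeykeykeykeyk\"",
]

if __name__ == "__main__":
    for finding in lint(PAGE_SAS):
        print(finding)
    print("fresh AES-128 key:", random_key_hex(16))
```

On the page's ten lines every key has the right length and every SA has its reverse counterpart; the ten findings it prints are the two hmac-md5 entries, the four 3des-cbc entries and the four passphrase-style keys, which is the list to work through before these SAs go anywhere near production.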
Step 9: Activation of the configuration

Once the configuration has been completed, it can be applied using the apply conf myconfig command. The configuration is now the running configuration.

Step 10: Activation at boot time

If the current configuration behaves correctly, make it active at next boot time. The command is:

router{}copy conf running start

Dynamic VPN with pre-shared key authentication

We can use either the psk-lite or the psk-strong VPN template. Assuming the example requires strong security, we will select the psk-strong template.

SAs will be dynamically negotiated, via the IKE protocol.

Steps 1 to 3: Identification of the requirements, choice of a template, security enabling

Enable IPsec:

router{conf:myconfig}sec
router{conf:myconfig-sec}ipsec enable

Step 4: Pre-shared keys and certificates

Set the default local identity, then define the key shared with gateway 2:

router{conf:myconfig}sec
router{conf:myconfig-sec}default user-fqdn myrouter@mydomain.com
router{conf:myconfig-sec}psk 30.0.0.1 gonewiththe6wind
# gonewiththe6wind is the pre-shared key with peer 30.0.0.1

Gateway 1 performs a pre-shared key based IKE negotiation with Gateway 2, which is identified by its IP address (30.0.0.1).

The same key must be configured on gateway 2 for peer 20.0.0.1:

router2{conf:myconfig-sec}psk 20.0.0.1 gonewiththe6wind

Gateway 1 is identified by its IP address (20.0.0.1). The key shown is a documentation sample; use a long random value in production and do not share one key between several peers.

Step 5: VPN definition

Define a VPN called psk1-vpn4 for IPv4 traffic and a VPN called psk1-vpn6 for IPv6 traffic, both with the psk-strong template:

router{conf:myconfig-sec}vpn psk1-vpn4 psk-strong 20.0.0.1 30.0.0.1
router{conf:myconfig-sec}vpn psk1-vpn6 psk-strong 3abc::1 3def::1

The IPv4 and IPv6 addresses of the VPN end-points are defined (P1 is the local gateway and P2 is the remote one).
Steps 6 and 7: IPsec rules definition

The IPsec rules are the same as for a manual (static) configuration; the only change is the name of the VPN to use.

IPsec rule 1: A1 to B1 with AH mandatory for IPv4

router{conf:myconfig-sec}ipsec-rule rule1 20.10.10.0/24 30.10.10.0/24 any ah tunnel psk1-vpn4

IPsec rule 2: P1 to P2 with ESP mandatory for IPv4

router{conf:myconfig-sec}ipsec-rule rule2 20.0.0.1 30.0.0.1 any esp transport psk1-vpn4 2000

IPsec rule 3: P1 to P2 with ESP mandatory for IPv6

router{conf:myconfig-sec}ipsec-rule rule3 3abc::1 3def::1 any esp transport psk1-vpn6 2000

IPsec rule 4: A1 to B2 with no traffic allowed for IPv4

router{conf:myconfig-sec}ipsec-rule rule4 20.10.10.0/24 30.10.20.0/24 any discard 2000

IPsec rule 5: A1 to the Internet with no traffic allowed for IPv4

router{conf:myconfig-sec}ipsec-rule rule5 20.10.10.0/24 0.0.0.0/0 any discard 2100

IPsec rule 6: A1 to B2 with no traffic allowed for IPv6

router{conf:myconfig-sec}ipsec-rule rule6 3abc:1:a1::/64 3def:1:b2::/64 any discard 2000

IPsec rule 7: A1 to the Internet with no traffic allowed for IPv6

router{conf:myconfig-sec}ipsec-rule rule7 3abc:1:a1::/64 ::/0 any discard 3000

Step 8: Manual addition of SAs

Not required: the SAs are negotiated by IKE.

Step 9: Activation of the configuration

router{conf:myconfig-sec}apply conf myconfig

The configuration is now the running configuration.

Step 10: Activation at boot time

If the current configuration behaves correctly, make it active at next boot time:

router{}copy conf running start

Dynamic VPN with certificate authentication

Steps 1 to 3: Identification of the requirements, choice of a template, security enabling

In this case, the template to use could be the cer-lite one or the cer-strong one. Assuming the example requires strong security, let's select the cer-strong template.

Enable IPsec:

router{conf:myconfig}sec
router{conf:myconfig-sec}ipsec enable

Step 4: Pre-shared keys and certificates

Declare the certificate of the Certification Authority (named dodge here):

router{conf:myconfig-certificates}ca-certificate dodge
-----BEGIN CERTIFICATE-----
...
-----END CERTIFICATE-----
router{conf:myconfig-certificates}
  • Declare the router certificate and its private key:

    router{conf:myconfig-certificates}my-certificate ananas@dodge
    -----BEGIN CERTIFICATE-----
    MIIDDjCCAnegAwIBAgICLIMwDQYJKoZIhvcNAQEEBQAwOjELMAkGA1UEBhMCRlIx
    ETAPBgNVBAoTCDZXSU5EIFNBMRgwFgYDVQQDEw82V0lORCBBdXRob3JpdHkwHhcN
    MDYwMTI1MTEzMDUyWhcNMzEwMTE5MTEzMDUyWjCBiTELMAkGA1UEBhMCRlIxDjAM
    BgNVBAcTBVBhcmlzMREwDwYDVQQKEwg2V0lORCBTQTETMBEGA1UECxMKVGVzdHMg
    VW5pdDEXMBUGA1UEAxMOVGVjaG5pY2FsIFRlYW0xKTAnBgkqhkiG9w0BCQEWGnRl
    c3RzX3VuaXQuYW5hbmFzQDZ3aW5kLmZyMIGfMA0GCSqGSIb3DQEBAQUAA4GNADCB
    iQKBgQDNbbs/AUGsHAAcxam8GI5LIHAlzT0DbV8uYAhsV2MxtzeZ6i/2rfj+Fm61
    H54umRn8AljWhGJioPN9mUEa41M5WnurlHhXZqCE1pkTwcX6rf3tj+5lA18G4IWz
    mY8z3rzBnQp8vwQ3oMCIFgSVd+6NnEU2N4/V8FcR1ZeEmcT1JwIDAQABo4HSMIHP
    MB0GA1UdDgQWBBSsHFa9bqoVMEBYv71hw518KvNvaDBiBgNVHSMEWzBZgBQpMfdo
    ivb2kbu5IqHJOSfmT34nHqE+pDwwOjELMAkGA1UEBhMCRlIxETAPBgNVBAoTCDZX
    SU5EIFNBMRgwFgYDVQQDEw82V0lORCBBdXRob3JpdHmCAQAwCQYDVR0TBAIwADAL
    BgNVHQ8EBAMCBeAwMgYDVR0RBCswKYIQYW5hbmFzLjZ3aW5kLm5ldIEVYWRtaW4u
    YW5hbmFzQDZ3aW5kLmZyMA0GCSqGSIb3DQEBBAUAA4GBANjsrUx8tJCVU3H2xx0E
    FfWcswEzbdQLTCUeqg+0d1l0N/QMkcP5U+dtNO1jzY3D9frMxqumFvnBkvrtN6q4
    BTJ5XZwfhran7HpQOH2GfcyXAylIeIFFb5NActuGD57INvg09coN8BJcrcRFM5uk
    slHQ9wGgpLfVa2tZCLCjYldX
    -----END CERTIFICATE-----
    router{conf:myconfig-certificates}my-private-key ananas@dodge
    -----BEGIN RSA PRIVATE KEY-----
    MIICXQIBAAKBgQDNbbs/AUGsHAAcxam8GI5LIHAlzT0DbV8uYAhsV2MxtzeZ6i/2
    rfj+Fm61H54umRn8AljWhGJioPN9mUEa41M5WnurlHhXZqCE1pkTwcX6rf3tj+5l
    A18G4IWzmY8z3rzBnQp8vwQ3oMCIFgSVd+6NnEU2N4/V8FcR1ZeEmcT1JwIDAQAB
    AoGBALvc1rj2kDUx4hRt2xxNpIslngmj2GEy+zEw12Mkw2zqralO1hAT5zmOEC4J
    PSJGFtI030NGC6dAo4u/xB8vtqF/uGdN1Z2Dpgy+3NRmUoXk18+IjR/u4eIUUAqp
    N5T4PAKIMd2R2Yp/AiuKgR9CwWgfmD9m1WjvalTIRTSSDPmxAkEA78V7bEzZZBDu
    GsDZMsaq8KZTYXZlBlX/uTlKLYWDQ6kypvjLW9/B0go3bUDsh4cA4Qlr6sFKlv+y
    Ys8UkUCOCQJBANtVMTYASy/0j0JWP3CwAc9aEc5KT4OU/7Ha1Zy0n5fqZl5ucaMm
    QLGvVmSUrwSSRNWlgzf9F1Zn2wBZ6jZcNa8CQH+/8oDDeVhNhO+QLKlXHKDXnbli
    AXWcwIGJurICXuvf7HL2QDOVRomIk/uMCfozvg4onO0ZS4qkdgEbYFP71zECQQDZ
    9sd4ysHtXjQf0GYrLj4eOXwIbYCnWqLftIEjwbv31FD29vqnD5Sq/3vzaG6lNFaD
    mn/UXAedLohMyQ4gB3KxAkASSMpDybKygoJffJvggcWNkzgW5CsxfgzUsC9nlkfK
    ADUYw2uEwSaJoDWKlD9UO1o6KaSwm67WO8/Ob6Apdzdi
    -----END RSA PRIVATE KEY-----
    router{conf:myconfig-certificates}
    
  • Assuming the Turbo IPsec certificate was issued by dodge, trust dodge:

    router{conf:myconfig}sec
    router{conf:myconfig-sec}trust dodge
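
The sample certificate above is signed with md5WithRSAEncryption and carries a 1024-bit RSA key, which is fine for walking through the CLI but not for a production gateway (and the private key printed above is public and must never be reused). The Python script below is an added example and not Turbo IPsec code: a minimal DER walk that reports those two properties of a PEM certificate so that they can be checked before my-certificate and trust are used. It assumes an RSA subjectPublicKeyInfo (no EC keys), and the policy in acceptable() (SHA-256 signature, modulus of at least 2048 bits) is one chosen here, not one the product enforces; the page's own certificate is embedded as the input.

```python
"""Minimal DER walk to report the signature algorithm and RSA modulus
size of a PEM certificate.  Added example, not Turbo IPsec code.  Only
what is needed here is implemented: definite-length DER, single-byte
tags, RSA public keys."""
import base64

SIG_OIDS = {
    "1.2.840.113549.1.1.4": "md5WithRSAEncryption",
    "1.2.840.113549.1.1.5": "sha1WithRSAEncryption",
    "1.2.840.113549.1.1.11": "sha256WithRSAEncryption",
}


def der_tlv(buf, off=0):
    """Decode one TLV at buf[off]; return (tag, value, offset after it)."""
    tag, length, off = buf[off], buf[off + 1], off + 2
    if length & 0x80:                         # long form: number of length octets
        n = length & 0x7F
        length = int.from_bytes(buf[off:off + n], "big")
        off += n
    return tag, buf[off:off + length], off + length


def der_children(value):
    """Split the contents of a SEQUENCE/SET into (tag, value) pairs."""
    out, off = [], 0
    while off < len(value):
        tag, val, off = der_tlv(value, off)
        out.append((tag, val))
    return out


def decode_oid(value):
    arcs, acc = [value[0] // 40, value[0] % 40], 0
    for b in value[1:]:
        acc = (acc << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(acc)
            acc = 0
    return ".".join(str(a) for a in arcs)


def pem_to_der(pem):
    b64 = "".join(l.strip() for l in pem.strip().splitlines() if not l.startswith("-----"))
    return base64.b64decode(b64)


def inspect_cert(pem):
    """Signature algorithm and RSA modulus size of a PEM certificate."""
    _, cert, _ = der_tlv(pem_to_der(pem))
    tbs, sig_alg, _sig = der_children(cert)       # Certificate ::= SEQUENCE {tbs, alg, sig}
    sig_oid = decode_oid(der_children(sig_alg[1])[0][1])
    fields = der_children(tbs[1])
    if fields[0][0] == 0xA0:                      # optional [0] EXPLICIT version
        fields = fields[1:]
    # serial(0) signature(1) issuer(2) validity(3) subject(4) subjectPublicKeyInfo(5)
    alg, pubkey = der_children(fields[5][1])
    key_oid = decode_oid(der_children(alg[1])[0][1])
    bits = None
    if key_oid == "1.2.840.113549.1.1.1":         # rsaEncryption
        rsa_seq = der_children(pubkey[1][1:])[0]  # BIT STRING: skip the unused-bits octet
        modulus, _exp = der_children(rsa_seq[1])
        bits = int.from_bytes(modulus[1], "big").bit_length()
    return {"signature": SIG_OIDS.get(sig_oid, sig_oid), "key_bits": bits}


def acceptable(info, min_bits=2048):
    """Policy assumed for this example: SHA-256 signature, RSA >= 2048 bits."""
    return info["signature"].startswith("sha256") and (info["key_bits"] or 0) >= min_bits


# The ananas@dodge certificate as printed on this page.
PAGE_CERT = """-----BEGIN CERTIFICATE-----
MIIDDjCCAnegAwIBAgICLIMwDQYJKoZIhvcNAQEEBQAwOjELMAkGA1UEBhMCRlIx
ETAPBgNVBAoTCDZXSU5EIFNBMRgwFgYDVQQDEw82V0lORCBBdXRob3JpdHkwHhcN
MDYwMTI1MTEzMDUyWhcNMzEwMTE5MTEzMDUyWjCBiTELMAkGA1UEBhMCRlIxDjAM
BgNVBAcTBVBhcmlzMREwDwYDVQQKEwg2V0lORCBTQTETMBEGA1UECxMKVGVzdHMg
VW5pdDEXMBUGA1UEAxMOVGVjaG5pY2FsIFRlYW0xKTAnBgkqhkiG9w0BCQEWGnRl
c3RzX3VuaXQuYW5hbmFzQDZ3aW5kLmZyMIGfMA0GCSqGSIb3DQEBAQUAA4GNADCB
iQKBgQDNbbs/AUGsHAAcxam8GI5LIHAlzT0DbV8uYAhsV2MxtzeZ6i/2rfj+Fm61
H54umRn8AljWhGJioPN9mUEa41M5WnurlHhXZqCE1pkTwcX6rf3tj+5lA18G4IWz
mY8z3rzBnQp8vwQ3oMCIFgSVd+6NnEU2N4/V8FcR1ZeEmcT1JwIDAQABo4HSMIHP
MB0GA1UdDgQWBBSsHFa9bqoVMEBYv71hw518KvNvaDBiBgNVHSMEWzBZgBQpMfdo
ivb2kbu5IqHJOSfmT34nHqE+pDwwOjELMAkGA1UEBhMCRlIxETAPBgNVBAoTCDZX
SU5EIFNBMRgwFgYDVQQDEw82V0lORCBBdXRob3JpdHmCAQAwCQYDVR0TBAIwADAL
BgNVHQ8EBAMCBeAwMgYDVR0RBCswKYIQYW5hbmFzLjZ3aW5kLm5ldIEVYWRtaW4u
YW5hbmFzQDZ3aW5kLmZyMA0GCSqGSIb3DQEBBAUAA4GBANjsrUx8tJCVU3H2xx0E
FfWcswEzbdQLTCUeqg+0d1l0N/QMkcP5U+dtNO1jzY3D9frMxqumFvnBkvrtN6q4
BTJ5XZwfhran7HpQOH2GfcyXAylIeIFFb5NActuGD57INvg09coN8BJcrcRFM5uk
slHQ9wGgpLfVa2tZCLCjYldX
-----END CERTIFICATE-----"""

if __name__ == "__main__":
    info = inspect_cert(PAGE_CERT)
    print(info, "acceptable:", acceptable(info))   # md5WithRSAEncryption, 1024 bits, False
```

Run against the certificate above it reports md5WithRSAEncryption and 1024 bits, so acceptable() is False. For anything beyond a lab, issue a fresh certificate from the CA with a SHA-2 signature and at least a 2048-bit key, and keep the private key off documentation pages and out of version control.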
    
Steps 5 and 6: VPN definition and CA trusting

The following commands define a first VPN called cer1-vpn4 for IPv4 traffic and a second one called cer1-vpn6 for IPv6 traffic.

router{conf:myconfig-sec}vpn cer1-vpn4 cer-strong 20.0.0.1 30.0.0.1 certificate ananas@dodge
router{conf:myconfig-sec}vpn cer1-vpn6 cer-strong 3abc::1 3def::1 certificate ananas@dodge

The template used is cer-strong.

The IPv4 and IPv6 addresses of the VPN end-points are defined (P1 is the local gateway and P2 is the remote one).

dodge is the name of the certificate of the Certification Authority; while ananas@dodge is the router certificate to be used.

Use the trust command to specify that certificates delivered by this CA should be trusted.

router{conf:myconfig-sec}trust dodge
Steps 7 and 8: IPsec rules definition

The IPsec rules to define are the same as in the static and pre-shared key examples; only the VPN name changes.

IPsec rule 1: A1 to B1 with AH mandatory for IPv4

router{conf:myconfig-sec}ipsec-rule rule1 20.10.10.0/24 30.10.10.0/24 any ah tunnel cer1-vpn4

IPsec rule 2: P1 to P2 with ESP mandatory for IPv4

router{conf:myconfig-sec}ipsec-rule rule2 20.0.0.1 30.0.0.1 any esp transport cer1-vpn4 2000

IPsec rule 3: P1 to P2 with ESP mandatory for IPv6

router{conf:myconfig-sec}ipsec-rule rule3 3abc::1 3def::1 any esp transport cer1-vpn6 2000

IPsec rule 4: A1 to B2 with no traffic allowed for IPv4

router{conf:myconfig-sec}ipsec-rule rule4 20.10.10.0/24 30.10.20.0/24 any discard 2000

IPsec rule 5: A1 to the Internet with no traffic allowed for IPv4

router{conf:myconfig-sec}ipsec-rule rule5 20.10.10.0/24 0.0.0.0/0 any discard 2100

IPsec rule 6: A1 to B2 with no traffic allowed for IPv6

router{conf:myconfig-sec}ipsec-rule rule6 3abc:1:a1::/64 3def:1:b2::/64 any discard 2000

IPsec rule 7: A1 to the Internet with no traffic allowed for IPv6

router{conf:myconfig-sec}ipsec-rule rule7 3abc:1:a1::/64 ::/0 any discard 3000
Step 9: Manual addition of SAs

As the VPN is not static, no manual addition of SAs is required: the SAs are negotiated by IKE.

Step 10: Activation of the configuration

Once the configuration has been completed, it can be applied using the apply conf myconfig command. The configuration is now the running configuration.

Step 11: Activation at boot time

If the current configuration behaves correctly, make it active at next boot time. The command is:

router{}copy conf running start

Protecting the routing protocol RIPng with IPsec

Overview

According to RFC 2080, RIPng does not have an authentication mechanism of its own and relies on IPsec instead: IPsec AH can be used in transport mode to authenticate the RIPng exchanges. Turbo IPsec uses static security associations for this purpose.

Example

[Figure: Authenticating RIPng with IPsec (ipsec-ripng.svg)]

Suppose we have configured RIPng in the rtg context:

  1. Check the configuration:

    router{conf:ipsec.6cf-rtg-dynamic}display
    #
    router ripng
      network eth0_0
      network eth1_0
    
  2. Enable IPsec on the public interface:

    router{conf:myconfig}sec
    router{conf:myconfig-sec}ipsec enable
    
  3. If you use Dynamic VPNs, define pre-shared keys and/or certificates.

  4. Define a VPN called vpnv6 for IPv6 traffic with the static template:

    router{conf:myconfig-sec}vpn vpnv6 static 2001:660:3008:1000::155 2001:660:3008:1000::160
    
  5. Define the following IPsec rule:

    router{conf:myconfig-sec}ipsec-rule RIPngAH fe80::/16 ::/0[521] udp ah transport vpnv6
    

    RIPng uses the link local addresses over UDP with destination port 521.

  6. If you use static VPNs, add AH Security Association definitions in both directions between the two gateways, plus one for the multicast destination.

  7. Add the SAs:

    router{conf:myconfig-sec}sa ah fe80::209:c0ff:fe40:c055 fe80::200:84ff:fe60:50ef 1111 transport hmac-md5 0x000102030405060708090A0B0C0D1111
    router{conf:myconfig-sec}sa ah fe80::200:84ff:fe60:50ef fe80::209:c0ff:fe40:c055 1111 transport hmac-md5 0x000102030405060708090A0B0C0D1111
    router{conf:myconfig-sec}sa ah :: ff02::9 1111 transport hmac-md5 0x000102030405060708090A0B0C0D1111
    

    Note

    Only one SA is defined for the multicast destination ff02::9, and its source address is the unspecified address (::). The SPI and the secret can be identical across these SAs because an SA is identified by its destination address together with the SPI, so the differing address pairs keep them distinct.

  8. Activate the configuration:

    router{conf:myconfig-sec}apply conf myconfig
    

    The configuration is now the running configuration.

  9. Configure the peer:

    router2{}display conf ipsec.6cf sec
    sec
    # AH SECURITY ASSOCIATIONS
     sa ah fe80::200:84ff:fe60:50ef fe80::209:c0ff:fe40:c055 1111 transport hmac-md5 0x000102030405060708090A0B0C0D1111
     sa ah fe80::209:c0ff:fe40:c055 fe80::200:84ff:fe60:50ef 1111 transport hmac-md5 0x000102030405060708090A0B0C0D1111
     sa ah :: ff02::9 1111 transport hmac-md5 0x000102030405060708090A0B0C0D1111
    # ESP SECURITY ASSOCIATIONS
    # IPSEC RULES
     ipsec-rule RIPngAH fe80::/16 ::/0[521] udp ah transport vpnv6 2000
    # VPN
     vpn vpnv6 static 2001:660:3008:1000::160 2001:660:3008:1000::155
    

    Caution

    The SPI and the key of each SA must be identical on both peers.

  10. Check the result:

    router2{}show traffic eth0_0 pcap "proto AH"
    listening on eth0_0, link-type EN10MB (Ethernet), capture size 65535 bytes
    02:09:19.735769 00:09:c0:40:c0:55 > 33:33:00:00:00:09, ethertype IPv6 (0x86dd), length 130: fe80::209:c0ff:fe40:c055 > ff02::9: AH(spi=0x0000045a,seq=0x56): 521 > 521:  ripng-resp 2: 2001:660:3008:1000::/64 (1) 2001:660:3008:1100::/64 (1)
    02:09:28.986071 00:00:84:60:50:ef > 33:33:00:00:00:09, ethertype IPv6 (0x86dd), length 130: fe80::200:84ff:fe60:50ef > ff02::9: AH(spi=0x00000459,seq=0x51): 521 > 521:  ripng-resp 2: 2001:660:3008:1000::/64 (1) 2001:660:3008:2000::/64 (1)
    
    router2{}show routing ipv6 ripng
    Codes: R - RIPng, C - connected, S - Static, O - OSPF, B - BGP
           D - DEP, N - NAT-PT
    Sub-codes:
          (n) - normal, (s) - static, (d) - default, (r) - redistribute,
          (i) interface, (a/S) - aggregated/Suppressed
    
          Network      Next Hop                      Via     Metric Tag Time
    C(i) 2001:660:3008:1000::/64
                      ::                          self       1    0
    R(n) 2001:660:3008:1100::/64
                      fe80::209:c0ff:fe40:c055    eth0_0     2    0  02:21
    C(i) 2001:660:3008:2000::/64
                      ::                          self       1    0
    router2{}
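
To make concrete what the AH(spi=..., seq=...) in the capture above represents, the Python script below, an added example and not Turbo IPsec code, builds an IPv6/UDP datagram shaped like a RIPng response to ff02::9, inserts an AH header in transport mode and computes the HMAC-MD5-96 ICV over the packet with the mutable IPv6 fields zeroed (RFC 4302 section 3.3.3.1.2, RFC 2403). The key and SPI are those of the sa lines above; the RIPng route entry, the sequence number and the rest of the datagram are constructed here, and no extension headers are assumed between the IPv6 header and AH.

```python
"""What the AH transport SA on the RIPng link computes.  Added example,
not Turbo IPsec code.  An IPv6/UDP/521 datagram is built, an AH header is
inserted in transport mode, and the HMAC-MD5-96 ICV (RFC 2403) is computed
over the packet with the mutable IPv6 fields zeroed (RFC 4302).  The key
and SPI come from the page's sa lines; the payload is constructed."""
import hashlib
import hmac
import ipaddress
import struct

AH_PROTO, UDP_PROTO = 51, 17
ICV_LEN = 12                    # HMAC-MD5-96: MAC truncated to 96 bits
IPV6_LEN, AH_FIXED = 40, 12     # IPv6 header and AH header before the ICV
KEY = bytes.fromhex("000102030405060708090A0B0C0D1111")   # from the sa lines above
SPI = 1111


def csum16(data):
    """One's-complement sum used by UDP (RFC 1071)."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack(f"!{len(data) // 2}H", data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def udp6(src, dst, sport, dport, payload):
    """UDP datagram with the IPv6 pseudo-header checksum (mandatory in IPv6)."""
    length = 8 + len(payload)
    hdr = struct.pack("!HHHH", sport, dport, length, 0)
    pseudo = (ipaddress.IPv6Address(src).packed + ipaddress.IPv6Address(dst).packed
              + struct.pack("!IxxxB", length, UDP_PROTO))
    csum = csum16(pseudo + hdr + payload) or 0xFFFF
    return hdr[:6] + struct.pack("!H", csum) + payload


def ipv6_header(src, dst, payload_len, next_header, hop_limit=255):
    return (struct.pack("!IHBB", 6 << 28, payload_len, next_header, hop_limit)
            + ipaddress.IPv6Address(src).packed + ipaddress.IPv6Address(dst).packed)


def icv(pkt, key):
    """ICV over the packet with mutable fields zeroed: traffic class, flow
    label, hop limit and the ICV field itself.  Transport mode with no
    extension headers between IPv6 and AH is assumed, as on the page."""
    m = bytearray(pkt)
    m[0:4] = bytes([0x60, 0, 0, 0])      # version stays 6, class/flow label zeroed
    m[7] = 0                              # hop limit
    m[IPV6_LEN + AH_FIXED:IPV6_LEN + AH_FIXED + ICV_LEN] = bytes(ICV_LEN)
    return hmac.new(key, bytes(m), hashlib.md5).digest()[:ICV_LEN]


def ah_transport(src, dst, key, spi, seq, datagram, next_header=UDP_PROTO):
    """IPv6 packet src->dst with AH in transport mode protec­ting datagram."""
    ah_words = (AH_FIXED + ICV_LEN) // 4 - 2        # AH "payload length" field: 4
    ah = struct.pack("!BBHII", next_header, ah_words, 0, spi, seq) + bytes(ICV_LEN)
    pkt = bytearray(ipv6_header(src, dst, len(ah) + len(datagram), AH_PROTO) + ah + datagram)
    pkt[IPV6_LEN + AH_FIXED:IPV6_LEN + AH_FIXED + ICV_LEN] = icv(pkt, key)
    return bytes(pkt)


def ah_verify(pkt, key):
    """True when the ICV carried in the packet matches the one we compute."""
    if len(pkt) < IPV6_LEN + AH_FIXED + ICV_LEN or pkt[6] != AH_PROTO:
        return False
    got = pkt[IPV6_LEN + AH_FIXED:IPV6_LEN + AH_FIXED + ICV_LEN]
    return hmac.compare_digest(got, icv(pkt, key))


def ah_spi(pkt):
    return struct.unpack("!I", pkt[IPV6_LEN + 4:IPV6_LEN + 8])[0]


def ripng_response(prefix, plen, metric):
    """Constructed RIPng response (RFC 2080): header plus one route entry."""
    hdr = struct.pack("!BBH", 2, 1, 0)                  # command=response, version=1
    rte = ipaddress.IPv6Address(prefix).packed + struct.pack("!HBB", 0, plen, metric)
    return hdr + rte


def demo_packet(seq=0x56):
    """A multicast RIPng response like the one in the capture, AH-protected."""
    src, dst = "fe80::209:c0ff:fe40:c055", "ff02::9"
    dgram = udp6(src, dst, 521, 521, ripng_response("2001:660:3008:1100::", 64, 1))
    return ah_transport(src, dst, KEY, SPI, seq, dgram)


if __name__ == "__main__":
    pkt = demo_packet()
    print("spi", ah_spi(pkt), "verifies:", ah_verify(pkt, KEY))
    tampered = bytearray(pkt)
    tampered[-1] ^= 1                                   # flip the route metric
    print("after tampering:", ah_verify(bytes(tampered), KEY))
```

Because the ICV covers the source and destination addresses and the whole UDP payload, a changed route metric fails verification while a changed hop limit does not; that coverage of the IPv6 header is what ties each accepted update to the link-local peer that holds the key, which a RIPng-level password could not do.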